Windows

Trouble with VMware NICs and File Sharing Permissions

For anyone who is trying to access file shares inside local VMs running Windows Vista or Windows 7, the following article does a great job explaining what needs to be done in order to change the “Location” of the VMware NICs. Apparently by default Windows cannot figure out what or where they are, so it shoves them off in the Public location and disables most of their abilities. I tried the registry key fix and it worked flawlessly (albeit after a reboot).

This issue also arises if your virtual environment has a different domain than your physical host workstation, which was the case for me. This will prompt you to authenticate, but no matter what credentials you enter, the share login will be unsuccessful. Anyway, give this a shot.

http://aspoc.net/archives/2008/10/30/unidentified-network-issue-with-vmwares-virtual-nics-in-vista/


Convert a PFX file to a PEM file

Bold indicates a button clicked or key pressed.
“quotes” indicates a value which has been entered.

Grey block quote is a command typed directly into the console.

Purpose

The following steps allow you to convert a PFX certificate file in Windows Server to a PEM file. This is important since most Linux/Unix systems prefer a PEM format for certificate use, especially something like an Apache web server.

  1. Download and install the Win32 OpenSSL (v0.9.8i) package from http://www.slproweb.com/products/Win32OpenSSL.html
  2. Create the folder C:\certs and copy your exported PFX certificate file into the C:\certs folder. The name yourcert.pfx is used in this example.
  3. Go to Start, then click Run and type in “cmd” and press enter. This should bring up a command prompt which you can use to change into the OpenSSL bin directory.
  4. cd %homedrive%\OpenSSL\bin
  5. openssl pkcs12 -in C:\certs\yourcert.pfx -out c:\certs\newcertname.pem -nodes
  6. This should convert the file from PFX format to PEM format; feel free to substitute your own name for “newcertname.pem”. Also be sure this command is entered as one line, regardless of how it appears on this site. When prompted, enter the password you used when exporting the PFX file from the Windows certificate store. You should then receive the message “MAC verified OK”.
  7. Open “newcertname.pem” in notepad, and cut out the private key into C:\OpenSSL\bin\private\privatekey.pem (or another path and name as you see fit).
  8. Also cut out the CA Certificate into C:\OpenSSL\bin\cacert.pem
  9. Modify c:\OpenSSL\bin\openssl.cfg configuration file and change the [alt_names] to whichever alternative names you wish.
  10. Create a new request, by typing the following commands.
  11. openssl req -new -nodes -keyout privatekey.pem -out cert-request.pem
  12. openssl ca -out issued-cert -in cert-request.pem
  13. This should have created a new request and signed it with the CA’s private key. Keep in mind that the paths to these certificate files are not included here, so make sure you are in the proper directory (i.e. the same directory) for those files.
  14. If you get errors during this procedure, clear the index.txt and serial files within the OpenSSL directory to be sure it is working with a fresh batch. Below is the configuration file for OpenSSL and is to be used as reference. Not all of the configuration is the same, so be sure to double check names of certificates and paths.
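
Steps 7 and 8 can be scripted instead of cutting blocks out by hand in Notepad. The following is an added example, not part of the original post: it splits the text written in step 5 into private key, server certificate and CA certificate, and reports whether the key is stored unencrypted, which is what -nodes produces. It assumes the CA certificate is self-issued (subject equals issuer); the function name and the sample data are constructed for illustration.

```python
import re

# Constructed sample shaped like `openssl pkcs12 -nodes` output; the base64 is placeholder text.
SAMPLE = """Bag Attributes
    localKeyID: 01 00 00 00
subject=/CN=www.example.test
issuer=/CN=Example Test CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtTEVBRg==
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=/CN=Example Test CA
issuer=/CN=Example Test CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0E=
-----END CERTIFICATE-----
Bag Attributes
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQtS0VZ
-----END RSA PRIVATE KEY-----
"""

def split_pem_bundle(text):
    """Return private keys, leaf certificates and self-issued (CA) certificates."""
    out = {"private_keys": [], "certificates": [], "ca_certificates": []}
    attrs, block, label = {}, None, None
    for line in text.splitlines():          # splitlines() also handles Windows CRLF
        begin = re.match(r"-----BEGIN ([A-Z0-9 ]+)-----\s*$", line)
        if begin:
            label, block = begin.group(1), [line.strip()]
        elif block is None:                 # bag attribute text between PEM blocks
            attr = re.match(r"(subject|issuer)=\s*(.*)$", line)
            if attr:
                attrs[attr.group(1)] = attr.group(2).strip()
        else:
            block.append(line.strip())
            if line.strip() != f"-----END {label}-----":
                continue
            entry = {"pem": "\n".join(block) + "\n", **attrs}
            if label.endswith("PRIVATE KEY"):
                # PKCS#8 "ENCRYPTED" label or a traditional Proc-Type header means protected.
                entry["encrypted"] = "ENCRYPTED" in label or block[1].startswith("Proc-Type: 4,ENCRYPTED")
                out["private_keys"].append(entry)
            elif label == "CERTIFICATE":
                # Assumption: a certificate whose subject equals its issuer is the CA certificate.
                self_issued = "subject" in attrs and attrs["subject"] == attrs.get("issuer")
                out["ca_certificates" if self_issued else "certificates"].append(entry)
            attrs, block, label = {}, None, None
    return out
```

Each returned "pem" value can be written straight to privatekey.pem or cacert.pem; a key reported with "encrypted" set to False should go to a file readable only by the account that needs it.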


Restrict AD users from Certain Domain Machines in Server 2003

This guide is mainly helpful for when you need to lock down a computer using GPOs and Active Directory. The situation here is a group of users who need to be locked down to the bare minimum of usability features. In addition, the computers these users sign on to are in highly sensitive areas, so only certain users should be able to log in. For example: you have 10 computers in an area where you want only certain locked-down accounts to be able to log in. If an account with greater privileges, such as a more powerful user, is compromised, it will not be able to log into the restricted machines.

  • Create an Organizational Unit which holds all of the machines that need to be restricted. Mine is named ‘Lockdown Computers’
  • Create a GPO and link it to the ‘Lockdown Computers’ OU. This can be done by right-clicking the OU in Group Policy Management and selecting “Create and Link a GPO Here…”
  • Right-click the newly created GPO and select “Edit…”
  • Under Computer Configuration, navigate to Windows Settings –> Security Settings –> Local Policies –> User Rights Assignment
  • In the right pane, find the policies named “Allow Log on Locally” and “Allow Log on Through Terminal Services”
  • In each policy, under the “Security Policy Setting” tab, click Add User or Group.
  • The easiest method is to create a user group in Active Directory which contains the users you want to be able to log into the given machine. It is usually best to select only the accounts which will be working on the computer in the future, as well as the limited user login. In addition, for both policies, the Administrators group for the Domain Controller must be selected. Be careful which users you select; you do not want to lock yourself out of a machine completely.
  • Close out the Group Policy Editor, and navigate to the GPO which was just edited.
  • Right click the GPO, and select “Enable”
  • Next, open a command prompt on the server and enter “gpupdate /force”
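
One way to confirm the policy landed as intended, and to catch a lock-out early, as an added example that is not part of the original post: export the user rights on a restricted machine with secedit /export /areas USER_RIGHTS /cfg rights.inf and audit the two logon rights. The S-1-5-21 SIDs, the sample export and the function names are constructed for illustration.

```python
# Well-known SIDs; BUILTIN\Administrators must keep both rights to avoid a lock-out.
ADMINISTRATORS = "S-1-5-32-544"
BROAD = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
         "S-1-5-32-545": "BUILTIN\\Users"}
LOGON_RIGHTS = {"SeInteractiveLogonRight": "Allow log on locally",
                "SeRemoteInteractiveLogonRight": "Allow log on through Terminal Services"}

# Constructed export; the S-1-5-21-... values are made-up placeholders.
LOCKDOWN_GROUP = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE_INF = f"""[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *{ADMINISTRATORS},*{LOCKDOWN_GROUP}
SeRemoteInteractiveLogonRight = *{LOCKDOWN_GROUP},*S-1-5-21-1111111111-2222222222-3333333333-513
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(inf_text):
    """Return {right: [member, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in (raw.strip() for raw in inf_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [m.strip().lstrip("*") for m in value.split(",") if m.strip()]
    return rights

def audit_logon_rights(inf_text, allowed):
    """List deviations from 'Administrators plus the allowed groups only'."""
    rights, findings = parse_privilege_rights(inf_text), []
    for right, label in LOGON_RIGHTS.items():
        members = rights.get(right)
        if members is None:
            findings.append(f"{label}: not set by policy")
            continue
        if ADMINISTRATORS not in members:
            findings.append(f"{label}: Administrators missing")
        for sid in members:
            if sid in BROAD or (sid.startswith("S-1-5-21-") and sid.endswith("-513")):
                findings.append(f"{label}: broad group {BROAD.get(sid, 'Domain Users')}")
            elif sid != ADMINISTRATORS and sid not in allowed:
                findings.append(f"{label}: unexpected member {sid}")
    return findings
```

secedit typically writes the export as UTF-16, so read the file with encoding="utf-16" before passing its text to audit_logon_rights.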


Windows Server 2003 R2 IAS Installation

Procedures

1. Navigate to Start | Control Panel | Add/Remove Programs | Add/Remove Windows Components

2. Networking Services | Details | Internet Authentication Service | Ok | Next | Finish | Close

Add RADIUS Clients

1. Navigate to Start | Administrative Tools | Internet Authentication Service

2. Right-click RADIUS Clients | Click New RADIUS Client
